The AI landscape doesn't move in one direction — it lurches. Some techniques leap from experiment to table stakes in a single quarter; others stall against regulatory walls, technical ceilings, or organisational inertia that no amount of hype can dislodge. Knowing which is which is the hard part. The State of Play cuts through the noise with a rigorously maintained index of AI techniques across every major business domain — classified by maturity, evidenced by real-world adoption, and updated daily so you always know where you stand relative to the field. Stop guessing. Start knowing.
A daily newsletter distilling the past two weeks of movement in a domain or two — delivered to your inbox while the index updates in the background.
Each dot marks the weighted maturity of practices within a domain — hover for a brief summary, click for more detail
Maintaining auditable records of AI-assisted decisions including inputs, outputs, confidence levels, and human overrides. Includes decision logging and override tracking; distinct from general audit trail analysis which examines process rather than AI-specific decision records.
Audit trail tooling for AI-assisted decisions is production-ready and operationalised at scale in regulated industries. Forward-leaning firms in finance—JPMorgan Chase, Goldman Sachs—and pharma have demonstrated measurable ROI from embedded decision logging, and regulators across the EU, UK, and US now explicitly require auditable AI records. The infrastructure question is settled: vendors ship cryptographic provenance, immutable logs, and compliance-mapped frameworks as GA products (Databricks, Okta, H33). What remains unsettled is the organisational question at scale. Surveys consistently show that fewer than 10% of enterprises running AI in production have mature governance, and the Stanford AI Index 2026 identifies governance gaps (no approval workflows, no verification, no traceability) as primary adoption blockers. This asymmetry — between what the technology can record and what most organisations can operationalise—defines the practice's leading-edge status and the binding constraint on broader deployment.
Regulation is now the primary forcing function. EU AI Act high-risk system requirements take effect December 2, 2027 (technically amended from August 2026), with penalties of up to €15 million or 3% of global revenue for missing or inadequate audit trails. The UK ICO formalised audit trail expectations under GDPR in late 2025, and the SEC's 2025 examination guidance requires explainable, auditable AI decision-making in regulated finance. These mandates are converging on a common architectural requirement: infrastructure-layer logging at the point of system operation, not application-level documentation. EU AI Act Article 12 specifies: automatic recording of events over the system lifetime, traceability with actor/timestamp/action/resource/outcome, queryable logs, and 6-month minimum retention.
The vendor ecosystem has matured significantly. Databricks shipped GA audit trail capability for AI agents in May 2026 via Unity Catalog, consolidating previously fragmented logs (CloudTrail, pgaudit, CloudWatch) into a single queryable system. Okta released Okta for AI Agents (GA) and Auth0 for AI Agents (GA) in May 2026; concurrent survey showed 57% of enterprises rate securing disparate agents as 'high effort' and 69% cite security concerns as adoption gate. Microsoft ships AI-specific audit logs for Copilot and Agent systems in Microsoft 365. H33 deployed fully homomorphic encryption audit trails enabling compliance verification without data exposure. CertifiedData's GA product delivers SHA-256 hashing, Ed25519 signing, and hash-chained records targeting Article 12 compliance. Healthcare adoption is accelerating: pharma deployments (GxP/21 CFR Part 11) have achieved 18-month production runs with zero compliance violations; audit logging is now standard in healthcare AI platforms. The IETF's Verifiable AI Provenance framework and open-source implementations (VeritasChain VCP v1.1) signal formal standardisation. The enterprise AI governance market is projected USD 11.05B by 2036.
Yet implementation deficiencies persist at organisational and vendor levels. Datadog disclosed a 28-day Copilot Studio logging gap for administrative actions despite documentation claims. A Lovable breach exposed 48 days of undetected access due to missing audit trails, violating GDPR 72-hour notification and EU AI Act Article 50. Stanford AI Index 2026 identifies three governance gaps preventing production adoption: no approval workflows (no review gates), no verification processes (no output validation), and no traceability infrastructure (can't reconstruct decisions). Thoropass survey of 536 compliance leaders: 69% report AI adoption outpacing controls, 53% cite evidence collection as audit bottleneck. Only 21% have mature governance for autonomous agents despite 74% expecting full agentic adoption within two years. Market reality: 42% of companies scrapped AI pilots before production; root cause identified as governance gaps—audit trail infrastructure exists but organisations cannot operationalise it. The core issue remains unchanged but sharpened: audit trail tooling is production-ready; audit trail capability in most organisations is nascent. Regulatory enforcement begins December 2, 2027; most organisations remain unprepared.
— TrueFoundry critical assessment: Claude Cowork activity is explicitly excluded from Audit Logs, Compliance API, and Data Exports on all tiers. Documents immediate governance blocker for agentic AI in regulated environments—negative signal essential for tier assessment.
— Federal court ruling (American Council v. NEH, May 7, 2026) establishes mandatory audit trail standard: 'complete record of initial prompt, AI output, source data, human validation steps, final decision.' Court mandates organization-owned, tamper-evident trails. First judicial precedent establishing audit trail as legal requirement.
— Production failures signal: 74% of enterprise AI agent deployments rolled back due to PII exposure; control gaps identified (OAuth scope drift, multi-agent logging, kill-switch propagation absent). Demonstrates audit trail infrastructure failing at scale despite availability.
— Conference presentation covering automated audit trail implementation with tamper-evident architectures and compliance dashboards for evolving global AI regulations.
— R[AI]SING SUN analysis identifies organizational barriers blocking AI maturity: decision authority gaps, role definition failures, missing ownership structures. Implies need for governance infrastructure but not audit trail-specific.
— Intel-sourced analysis requiring audit evidence trails and operating records for AI trust. Names JPMorgan Chase (tens of thousands of engineers, 10–20% productivity gains) and Citi (140K–150K employees) as production deployers with audit infrastructure. McKinsey 2026 responsible AI maturity baseline.
— Databricks Unity Catalog launched GA audit trail capability for AI agents, directly solving invisible agent actions and absent audit logs in standard monitoring. Major cloud vendor confirms audit trail infrastructure is production-ready.
— Global pharma company deployed compliance-tagged audit trails for GxP/21 CFR Part 11: 18-month production run with zero violations, 60% reduction in manual validation. AWS Bedrock with Azure Blob redundancy model demonstrates scalable architecture.
2022-H1: Five evidence items document regulatory and academic recognition of audit trails in AI governance. UK regulators outlined audit landscape gaps; real-world case study shows production deployment in e-commerce; academic frameworks propose audit trail integration; empirical survey identifies standardization challenges.
2022-H2: Six evidence items signal maturation from concept to compliance requirement. Financial regulators confirm large-scale ML deployment (72% of UK financial services firms) and formalize audit trail mandates (Bank of England DP5/22). Academic research reveals deployment challenges: clinical AI performance drift and nascent state of audit tools. Professional auditing bodies establish audit standards. Regulatory pressure accelerates globally (EU AI Act, NYC Local Law 144).
2023-H1: Six evidence items demonstrate transition from mandate to implementation phase. EDPB completed practical auditing project with assessment tools and checklists (Feb 2023). Business surveys show 82% of organizations managing data integrity risks and 77% of leaders prioritizing data reliability, driving audit trail adoption. Real-world deployment emerges: Fujitsu and Hexagon implemented blockchain audit trails in critical infrastructure. Academic research continues identifying transparency and 'black-box' challenges in auditing practice. Regulatory expansion continues: India mandates audit trails in accounting software (April 2023). Critical incident (NHS Office Scripts audit trail failure June 2023) underscores operational dependency on audit infrastructure.
2023-H2: Two evidence items reveal the deployment-regulation gap. NYC Local Law 144 (effective July 2023) mandated bias audits for AI employment tools, yet only 5 companies published required results despite 75% of large firms using such tools—exposing enforcement and compliance challenges. Technical maturity advanced: peer-reviewed research demonstrated tamper-evident logging systems achieving ≈100% tampering detection and >10k events/s throughput, validating audit trail feasibility in high-stakes domains. Regulatory consolidation continued: EU AI Act finalized (December 2023) and US Executive Order drove audit requirements. Professional guidance multiplied across ISACA, KPMG, and Grant Thornton. However, persistent gaps emerged: standards fragmentation, black-box challenges in capturing ML decision context, and critical scarcity of auditors with technical expertise.
2024-Q1: Six evidence items document commercial tooling arrival and persistent organizational adoption gaps. GuardRails and Nomad Data deployed enterprise audit logging platforms; ISACA published formal AI audit guidance; but Deloitte's survey revealed only 13% of organizations had formalized AI oversight despite 94% recognizing AI's business value—exposing a widening deployment-governance gap. Expert assessments highlighted critical accountability challenges: opaque ML systems, non-verifiable decision-making, and high-profile failures (Zillow's $300M write-down) underscored the urgency of audit trail infrastructure. Practical operationalization frameworks emerged (Dawgen Global) addressing the gap between regulatory mandates and production-ready audit-ready systems.
2024-Q2: Six evidence items demonstrate production deployments alongside critical challenges. Trail GmbH deployed automation for audit trail creation (97.5% time savings). Adobe released Journey Optimizer's GA audit logging for AI-driven marketing decisions. Academic research validated blockchain-based immutable audit trails. Real-world government deployment (IRS tax audit case selection using AI for 4,000+ returns) exposed documentation deficiencies via GAO audit. Social services audit framework (ADM+S) road-tested practical assessment toolkit across child/family services deployments. Practitioner perspectives highlighted persistent auditability challenges in legal operations. The window reveals audit trail infrastructure maturing in commercial products while real-world deployments continued to expose implementation gaps.
2024-Q3: Major vendors shipped production audit trail tooling: KPMG Clara (90,000 auditors), Adobe Customer AI audit logs, and Thomson Reuters Audit Intelligence (30 min–2 hour efficiency gains). Real-world financial services deployments validated LLM-based audit search and analysis. EDPB published formal AI audit guidance emphasizing traceability. Professional bodies' adoption metrics (CAQ survey: one in three audit partners deploying AI, yet 66% of committees insufficient on AI governance) revealed growing capability-oversight gap. Vendor tooling ecosystem matured while organizational governance readiness remained distributed and uneven.
2024-Q4: Vendor ecosystem expanded: Valohai launched GA audit log features; FIO Labs documented 90% compliance improvement through automated audit trail creation. Peer-reviewed incident analysis of 202 real-world AI failures identified organizational/governance causes (58%), signaling audit trail infrastructure was available but incident governance remained nascent. Critical adoption gap emerged: AuditBoard survey revealed 61% of audit leaders lack AI expertise and <1% use AI in planning, despite 55% of organizations implementing AI—exposing mismatch between audit trail availability and organizational capability to use it effectively.
2025-Q1: Persistent organizational adoption challenges dominate evidence. Peer-reviewed study of 22 audit professionals identified transparency, explainability, and auditor overreliance as critical barriers to adoption. Critical perspective emerged questioning AI's auditability in regulated domains (medical imaging, financial auditing). Production-scale deployments validated technical feasibility (Goldman Sachs 20B+ daily events), yet industry surveys revealed 70% of companies struggle with compliance implementation and only 23% prepared for AI compliance risks. Window signals sustained tension between mature technical capability and organizational/regulatory adoption barriers.
2025-Q2: Regulatory momentum accelerates adoption pressure while critical barriers persist. SEC 2025 examination guidance mandates explainable and auditable AI decision-making, prompting finance sector automation of audit trail workflows. Vendor ecosystem expands (Nebius cloud platform adds audit logging) alongside grassroots innovation (AuditMyAI open-source framework). Yet McKinsey data reveals 80%+ of companies see no significant AI ROI, and UC Berkeley study shows 68% struggle to move GenAI from pilot to production due to reliability and security concerns. Window confirms audit trail infrastructure maturity but exposes widening gap between technical capability and organizational/regulatory adoption readiness.
2025-Q3: Vendor momentum accelerates while real-world implementation gaps persist. Cloud platforms converge on audit trail capabilities: Microsoft Azure Databricks, Google Firebase, and Oracle AI Data Platform all ship audit logging features (July–September). UK ICO formalizes audit trail expectations under GDPR (September), establishing baseline regulatory standard. Market demand surges: Gartner reports 68% of finance SaaS buyers require auditable AI. Yet critical Microsoft 365 Copilot audit logging failure (months-long gaps) reveals vendor quality assurance challenges and persistent deployment risks. Window signals practice inflection: audit trail capability is unambiguously production-ready, but audit trail confidence in deployed systems requires meticulous implementation and vendor accountability.
2025-Q4: Vendor ecosystem matures while organizational adoption gaps dominate. Dynatrace, Hedera, and Validaitor release/advance audit trail capabilities with framework compliance (NIST, ISO 42001). Named financial deployments validate ROI: JPMorgan Chase and Goldman Sachs show 27% profitability lift and 79% adoption jump (October). Yet Ajith's analysis reveals only 9% of enterprises with AI in production have mature governance; AuditBoard survey finds only 4% of internal audit leaders achieved substantial progress despite 55% of organizations deploying AI. eDiscovery survey (64% integrating LLMs) highlights accuracy concerns over audit trail adoption. Window confirms practice paradox: audit trail infrastructure is production-ready and ROI-validated, but organizational capability, auditor expertise, and governance maturity remain constraint—suggesting leading-edge infrastructure without corresponding organizational readiness for effective deployment.
2026-Jan: Vendor ecosystem expands with structured frameworks (IntelliHuman six-layer proof stack, VeritasChain cryptographic VAP specification and open-source VCP v1.1 implementation). Regulatory escalation: EU AI Act penalties enforcement begins August 2026; SEC examination guidance mandates auditable AI. Market readiness divergence emerges: Mayfield survey shows 42% of Fortune 50–Global 2000 with AI agents in production, yet 60% lack formal governance despite 84% requiring compliance. Informatica data leader survey (n=600) shows 70% GenAI adoption but 75% governance lag. Organizational barriers persist: 61% of internal auditors lack expertise, only 4% report substantial progress, eDiscovery professionals prioritize speed over audit. Window signals practice entering mandatory adoption phase: infrastructure is production-ready and increasingly regulatory-mandated, yet organizational governance readiness and auditor expertise remain critical constraints on effective deployment.
2026-Feb: Vendor momentum accelerates and formal standardization advances. IETF publishes Internet-Draft for Verifiable AI Provenance (VAP) framework (Feb 2026), specifying cryptographic audit trails with conformance levels and external RFC 3161 anchoring. Audital GA product launches (Feb 2026) with cryptographically irrefutable decision records targeting FCA, EU AI Act, and ISO 42001. Organizational adoption barriers intensify: IIA/AuditBoard survey (Feb) shows only 40% of 370+ audit leaders adequately prepared for AI-enabled fraud, with 57% lacking tools and 55% lacking skills. IDC survey (Feb) shows 66% adoption of AI in audit strategy but 64% insist on validation of outputs, emphasizing human oversight necessity. Internal Audit Collective survey reveals less than 25% of 113 auditors use AI extensively due to governance concerns and skill gaps. Critical perspective (Feb) highlights specific auditability failures: Massachusetts lender fined $2.5M, Cigna litigation, EY data showing 99% of organizations reported AI-related losses. Window signals inflection point: audit trail tooling and standardization are rapidly maturing, yet organizational capability—auditor expertise, governance readiness, and confidence in mission-critical deployments—remains the binding constraint limiting broader adoption despite regulatory pressure and vendor innovation.
2026-May: Databricks shipped GA audit trail capability for AI agents via Unity Catalog, consolidating previously fragmented cloud logs into a single queryable system and confirming that major platform vendors now treat agent audit trails as standard infrastructure. A global pharma deployment (GxP/21 CFR Part 11 compliance) completed an 18-month production run with zero compliance violations and 60% reduction in manual validation, while JPMorgan Chase and Citi were cited as production-scale deployers with audit infrastructure embedded at tens-of-thousands-of-engineer scale—establishing audit trails as a prerequisite for enterprise agentic deployments, not an afterthought. Claude Compliance API (launched May 21) provides programmatic audit data access with 28 third-party SIEM integrations, advancing the ecosystem, though coverage remains control-plane only (identity/config changes, not prompt content). Microsoft Purview audit logging reached GA status as standard feature for Copilot Studio agents and computer-using agents, including Dataverse agent identity preview enabling per-agent audit attribution. Okta and Auth0 released GA versions for AI Agent identity and audit trail management.
2026-Mar–Apr: Production deployments and critical implementation gaps converge, exposing the practice's true bottleneck. Datadog Security Labs discloses Copilot Studio audit logging failures (28-day gap, administrative actions unlogged despite documentation). A Lovable breach exposed 48 days of undetected cross-account access attributable to missing audit trails, violating GDPR 72-hour notification and EU AI Act Article 50 obligations—demonstrating the direct regulatory liability cost of audit trail gaps. CertifiedData launched a GA cryptographic audit trail product (SHA-256 hashing, Ed25519 signing, hash-chained records) explicitly targeting EU AI Act Article 12 compliance, with a live public ledger as validation of tamper-evident logging feasibility. BlackLine's financial operations platform operationalized a dual-governance model requiring AI agents to operate under identical audit controls as human users with ISO/IEC 42001 certification. Bradesco (Brazil's largest bank) successfully deployed audit trail infrastructure for agentic AI, achieving 100% audit trail coverage with 83% resolution rate and 30% cost reduction, validating technical feasibility at scale in regulated banking. Market adoption accelerates: 72% of Global 2000 companies operate agentic AI in production (vs. <5% in 2025), with audit/escalation trails identified as prerequisites for production deployment. Yet organizational readiness remains uneven: 42% of companies scrapped AI initiatives before production due to governance gaps; 69% of compliance leaders report AI adoption outpacing controls; 53% cite evidence collection as bottleneck; only 21% have mature governance for autonomous agents despite 74% expecting full agentic AI integration within two years. Ernst & Young study shows only 10% of companies fully prepared to audit AI systems. Independent critical assessments identify audit trail infrastructure availability vs. organizational operationalization as the defining tension—infrastructure is production-ready, but implementation discipline and auditor expertise remain severely constrained. The window reveals practice paradox sharpening: technical capability proven; regulatory mandate imminent (August 2, 2026); organizational execution lagging critically.
2026-Jun: Critical evidence emerges on both capability and constraint barriers. Federal court ruling (American Council v. NEH, May 7, 2026) establishes audit trails as a mandatory legal requirement, setting judicial precedent that organization-owned, tamper-evident audit trails with full decision reconstruction capability are necessary for defensible AI. Production failures accelerate: 74% of enterprise AI agent deployments rolled back due to PII exposure, with control gaps (OAuth scope drift, multi-agent logging, kill-switch propagation) exposing audit trail infrastructure gaps despite availability. Negative signal surfaces: Claude Cowork explicitly excludes agent activity from Audit Logs, Compliance API, and Data Exports across all plan tiers—a documented governance blocker for agentic AI in regulated environments. Regulatory clarity sharpens: EU AI Act Article 12 enforcement timeline specified at December 2, 2027 with €15M or 3% revenue penalties; required infrastructure includes automatic infrastructure-layer logging, Ed25519 signing, hash chaining, 18-field structured event schema, and 6-month minimum retention. Vendor ecosystem signals continued maturation with governance stack positioning as standard requirement, not optional feature. The gap between technical availability and organizational readiness persists as the binding constraint; additionally, vendor implementation gaps (Cowork, partial scope coverage in compliance APIs) expose risk that audit trail infrastructure itself may not be production-mature across all major platforms.